
purple

Access SentinelOne's Purple AI and security services through the Model Context Protocol (MCP) - query alerts, vulnerabilities, misconfigurations, and inventory

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio \
  --env PURPLEMCP_CONSOLE_TOKEN="your_token" \
  --env PURPLEMCP_CONSOLE_BASE_URL="https://your-console.sentinelone.net" \
  sentinel-one-purple-mcp -- uvx --from git+https://github.com/Sentinel-One/purple-mcp.git purple-mcp --mode stdio

How to use

Purple AI MCP Server exposes SentinelOne services through the Model Context Protocol in a read-only manner. Its capabilities include querying Purple AI for security questions, running PowerQuery analytics on the data lake, listing and investigating alerts and vulnerabilities, analyzing misconfigurations, and querying inventory across endpoints, cloud resources, identities, and network devices. The server supports the stdio, sse, and streamable-http transports, so it works with a wide range of MCP clients.

To get started, provide your console token and console base URL, then configure your MCP client to launch the Purple MCP server via uvx, pointing to the purple-mcp repository and using stdio mode. To connect from other tools (Claude, Claude Code, Codex, Zed, etc.), embed the uvx invocation in the appropriate client configuration or command line as shown in the examples, or run in streamable-http mode for debugging with mcp-remote.

How to install

Prerequisites:

  • Access token for the SentinelOne Console (Account or Site level)
  • Internet access from the machine where you run the MCP server
  • uv (via uvx) installed and available in your shell

Installation steps:

  1. Install uv if you don’t have it already:
  2. Set required environment variables (replace placeholders with your values):
  3. Run the Purple MCP server using uvx in stdio mode (as configured in mcp_config):
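An added example, not taken from the purple-mcp repository or from this page's original text: a POSIX shell preflight for steps 2 and 3 that checks the variables named on this page before launching with the same uvx invocation in stdio mode. The function names, the return codes and the stdio-only restriction are assumptions of this example.

```shell
#!/bin/sh
# Added example, not project code. Function names and return codes are assumptions.

# Validate the environment before launch. Never prints the token value.
purple_mcp_preflight() {
  if [ -z "${PURPLEMCP_CONSOLE_TOKEN:-}" ] || [ "$PURPLEMCP_CONSOLE_TOKEN" = "your_token" ]; then
    echo "PURPLEMCP_CONSOLE_TOKEN is unset or still the placeholder" >&2
    return 1
  fi
  # Require https so the console token is never sent in clear text.
  case "${PURPLEMCP_CONSOLE_BASE_URL:-}" in
    https://?*) ;;
    *) echo "PURPLEMCP_CONSOLE_BASE_URL must start with https://" >&2; return 2 ;;
  esac
  # This launcher covers local stdio only (assumption of the example).
  # sse and streamable-http listen on the network and need authentication
  # in front of them, so they are refused here rather than started silently.
  case "${PURPLEMCP_TRANSPORT_MODE:-stdio}" in
    stdio) ;;
    sse|streamable-http)
      echo "network transport requested; front it with an authenticating proxy" >&2
      return 3 ;;
    *) echo "unknown PURPLEMCP_TRANSPORT_MODE" >&2; return 3 ;;
  esac
  return 0
}

# Launch the server in stdio mode once the preflight passes.
purple_mcp_run() {
  command -v uvx >/dev/null 2>&1 || { echo "uvx not found; install uv first" >&2; return 4; }
  purple_mcp_preflight || return $?
  exec uvx --from git+https://github.com/Sentinel-One/purple-mcp.git purple-mcp --mode stdio
}

# Start only when invoked as: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
  purple_mcp_run
fi
```

Export PURPLEMCP_CONSOLE_TOKEN and PURPLEMCP_CONSOLE_BASE_URL in the shell first, preferably from a secrets manager rather than a dotfile, then invoke the script with the run argument.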

Alternative deployment options mentioned in the repository:

  • Docker: Build and run a container with the appropriate environment variables set (PURPLEMCP_CONSOLE_TOKEN and PURPLEMCP_CONSOLE_BASE_URL). See the Quick Start Docker section in the README for exact commands.
  • Other clients (e.g., Claude, Zed) can be configured to start the server in stdio or streamable-http mode using the same environment variables.

Additional notes

Tips and considerations:

  • Purple AI MCP is read-only; it cannot modify your SentinelOne account or objects. Consider placing it behind a reverse proxy or load balancer for network-exposed deployments.
  • Tokens must grant access to a single Account or Site. If multi-site access is required, deploy multiple MCP servers with account/site-specific tokens.
  • Supported transport modes include stdio (default), sse, and streamable-http. Environment variable PURPLEMCP_TRANSPORT_MODE can be used to select the mode if needed.
  • For debugging or multi-client setups, you can use streamable-http mode and connect via mcp-remote. Example workflows are provided in the README under "Other Clients".
  • Ensure PURPLEMCP_CONSOLE_BASE_URL uses the correct console domain for your SentinelOne tenant. Do not expose the MCP without authentication when using a public network.
